Technical Overview
AmanoWatch is designed to sit at the edge of a network or on a host machine to analyze incoming and outgoing traffic. Using a custom C-based pcap integration together with Python's Scapy library, it dissects packets layer by layer to identify malicious signatures and anomalies.
Key Detections
- ARP Spoofing & Cache Poisoning
- ICMP Tunneling & Ping Sweeps
- DNS Tunneling Detection
- Stealthy Port Scanning (TCP/UDP)
- Brute Force Attempt Tracking
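To show what the first of these detections looks like in practice, here is an added example of ARP cache-poisoning detection. It is illustrative code written for this page, not AmanoWatch's own implementation, and it works on plain dicts so it runs without Scapy; the field names psrc, hwsrc and op mirror Scapy's ARP layer, the sample replies are constructed, and the fan-out threshold is an assumed tuning value.

```python
"""ARP cache-poisoning detector over a stream of ARP replies (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Two views of the same traffic: which MACs answered for each IP, and
    which IPs each MAC has claimed. Both are needed: a poisoner changes the
    binding of an existing IP, and usually claims several IPs at once."""
    fanout_threshold: int = 3           # assumed: IPs one MAC may claim before alerting
    ip_to_macs: dict = field(default_factory=lambda: defaultdict(set))
    mac_to_ips: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, pkt):
        """Feed one ARP record; return the list of alerts it triggered (often empty)."""
        if pkt.get("op") != 2:           # only is-at replies (op 2) carry bindings
            return []
        ip, mac = pkt["psrc"], pkt["hwsrc"].lower()
        fired = []

        seen = self.ip_to_macs[ip]
        if seen and mac not in seen:     # an IP we know suddenly has a new MAC
            fired.append({
                "category": "arp_spoof",
                "ip": ip,
                "known_macs": sorted(seen),
                "new_mac": mac,
            })
        seen.add(mac)

        ips = self.mac_to_ips[mac]
        ips.add(ip)
        if len(ips) == self.fanout_threshold:   # fire once, when the threshold is reached
            fired.append({
                "category": "arp_mac_fanout",
                "mac": mac,
                "ips": sorted(ips),
            })

        self.alerts.extend(fired)
        return fired


# Constructed sample: a legitimate gateway and host, then one MAC answering for
# every address on the segment.
SAMPLE_REPLIES = [
    {"op": 2, "psrc": "192.168.1.1",  "hwsrc": "aa:aa:aa:aa:aa:01"},  # gateway, legitimate
    {"op": 2, "psrc": "192.168.1.20", "hwsrc": "aa:aa:aa:aa:aa:20"},  # host, legitimate
    {"op": 1, "psrc": "192.168.1.30", "hwsrc": "bb:bb:bb:bb:bb:ff"},  # who-has request, ignored
    {"op": 2, "psrc": "192.168.1.1",  "hwsrc": "AA:AA:AA:AA:AA:01"},  # same MAC, different case
    {"op": 2, "psrc": "192.168.1.1",  "hwsrc": "bb:bb:bb:bb:bb:ff"},  # gateway rebound: poisoning
    {"op": 2, "psrc": "192.168.1.20", "hwsrc": "bb:bb:bb:bb:bb:ff"},  # host rebound: poisoning
    {"op": 2, "psrc": "192.168.1.30", "hwsrc": "bb:bb:bb:bb:bb:ff"},  # third IP for one MAC
]


def run_sample():
    """Run the constructed replies through a fresh monitor and return its alerts."""
    monitor = ArpMonitor()
    for pkt in SAMPLE_REPLIES:
        monitor.observe(pkt)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The fan-out threshold needs tuning per segment: a router with several IP aliases or a host running VRRP legitimately answers for more than one address, so the binding-change alert is the higher-confidence signal and the fan-out alert is corroboration.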
The User Experience
Lightweight Desktop Interface
AmanoWatch features a custom-built GUI designed for speed and clarity. Built using PyQt and themed to match a high-contrast terminal environment, the interface provides security professionals with a clean look at chaotic network traffic.
- Live Dashboard: Real-time packet updates without system lag.
- Smart Filtering: Quickly isolate traffic by IP, Protocol, or Threat Level.
- Visual Alerts: Critical threats are color-coded in "Cyber Red" for immediate recognition.
Building the Interface
The primary challenge was ensuring the GUI remained responsive while processing high-volume network data. I implemented a multi-threaded architecture where the backend handles packet dissection while the frontend updates via a thread-safe queue, ensuring zero frame loss during high-throughput peaks.
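The hand-off described above, as an added example rather than AmanoWatch's own code: a worker thread stands in for the pcap/Scapy backend and pushes dissected events into a bounded queue.Queue, and a drain function stands in for the GUI's timer callback, taking only a fixed number of events per tick so the event loop is never blocked. The packet format, function names and the per-tick limit are assumptions made for the example.

```python
"""Backend/frontend hand-off through a thread-safe, bounded queue (added example)."""
import queue
import threading
import time

SENTINEL = None  # placed on the queue by the backend to mark end of capture


def dissect(raw):
    """Stand-in for packet dissection: parses a constructed 'src>dst PROTO' record."""
    src_dst, proto = raw.split(" ")
    src, dst = src_dst.split(">")
    return {"src": src, "dst": dst, "proto": proto}


def backend(raw_packets, out_q):
    """Runs on the worker thread: dissect each packet and hand it to the frontend.
    put() blocks when the queue is full, so a slow GUI applies backpressure to
    the capture loop instead of letting memory grow without bound."""
    for raw in raw_packets:
        out_q.put(dissect(raw))
    out_q.put(SENTINEL)


def drain(out_q, limit=50):
    """Frontend side, called once per GUI tick: take at most `limit` events and
    return (events, done). Never blocks, so the event loop keeps repainting."""
    events = []
    while len(events) < limit:
        try:
            item = out_q.get_nowait()
        except queue.Empty:
            return events, False
        if item is SENTINEL:
            return events, True
        events.append(item)
    return events, False


def run_pipeline(raw_packets, maxsize=4, limit=3):
    """Wire the two halves together; returns the events received and the tick count."""
    q = queue.Queue(maxsize=maxsize)
    worker = threading.Thread(target=backend, args=(raw_packets, q), daemon=True)
    worker.start()

    received, ticks, done = [], 0, False
    while not done:
        events, done = drain(q, limit)
        received.extend(events)
        ticks += 1
        if not events and not done:
            time.sleep(0.001)   # in a real GUI, control returns to the Qt event loop here
    worker.join()
    return received, ticks


# Constructed capture: ten flows, more than the queue can hold at once.
RAW_PACKETS = [
    "10.0.0.5>10.0.0.1 TCP", "10.0.0.5>10.0.0.1 TCP", "10.0.0.7>10.0.0.53 UDP",
    "10.0.0.9>10.0.0.1 ICMP", "10.0.0.5>10.0.0.1 TCP", "10.0.0.7>10.0.0.53 UDP",
    "10.0.0.11>10.0.0.1 ARP", "10.0.0.5>10.0.0.1 TCP", "10.0.0.9>10.0.0.1 ICMP",
    "10.0.0.7>10.0.0.53 UDP",
]

if __name__ == "__main__":
    events, ticks = run_pipeline(RAW_PACKETS)
    print(f"{len(events)} events delivered over {ticks} GUI ticks")
```

The bounded queue is the important choice: an unbounded one keeps the GUI responsive but lets a traffic burst grow the backlog until the process runs out of memory, whereas a bounded one pushes the cost back onto the capture thread, where the kernel's pcap buffer and its drop counters make the overload visible.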
The "Honeyport" Feature
One of the standout features of AmanoWatch is its integrated Honeyport. It opens listener sockets on commonly targeted but unused ports. Any connection attempt to these ports triggers an immediate high-priority alert, effectively flagging automated scanners and active attackers early in the reconnaissance phase.
Logging & Forensics
AmanoWatch doesn't just alert; it logs. Every detection is timestamped and categorized, allowing security professionals to perform post-incident forensic analysis. This helps in understanding attack patterns and hardening the network against future intrusions.
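Tying the Honeyport and Logging sections together, here is an added example of a honeyport listener whose every connection attempt becomes a timestamped, categorized alert record exportable as JSON Lines. It is written for this page and is not AmanoWatch's code; the alert schema, severity label and class names are assumptions, and it binds to 127.0.0.1 on an OS-chosen port so the demo runs anywhere without touching real services.

```python
"""Honeyport listener producing timestamped, categorized alerts (added example)."""
import json
import socket
import threading
import time
from datetime import datetime, timezone


class Honeyport:
    """Listens on a port nothing legitimate should use; the connection itself is
    the signal, so the peer is disconnected immediately without any exchange."""

    def __init__(self, host="127.0.0.1", port=0, severity="critical"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick (demo only)
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.severity = severity          # assumed label matching the GUI's threat levels
        self.alerts = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def _serve(self):
        self.sock.settimeout(0.2)         # wake periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, (peer_ip, peer_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:               # socket closed during shutdown
                break
            conn.close()                  # nothing read, nothing sent back
            self._record(peer_ip, peer_port)

    def _record(self, peer_ip, peer_port):
        alert = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
            "category": "honeyport",
            "severity": self.severity,
            "src_ip": peer_ip,
            "src_port": peer_port,
            "dst_port": self.port,
        }
        with self._lock:
            self.alerts.append(alert)

    def export_jsonl(self):
        """One JSON object per line, keys sorted so records diff cleanly later."""
        with self._lock:
            return "\n".join(json.dumps(a, sort_keys=True) for a in self.alerts)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def local_probe(port, host="127.0.0.1"):
    """Constructed stand-in for a scanner's connect(): open and close, nothing more."""
    with socket.create_connection((host, port), timeout=2):
        pass


def demo(probes=2):
    """Start a honeyport, hit it with constructed probes, return alerts and their JSONL."""
    hp = Honeyport()
    hp.start()
    for _ in range(probes):
        local_probe(hp.port)
    deadline = time.time() + 3            # wait for the accept loop to record every probe
    while len(hp.alerts) < probes and time.time() < deadline:
        time.sleep(0.01)
    hp.stop()
    return hp.alerts, hp.export_jsonl()


if __name__ == "__main__":
    _, jsonl = demo()
    print(jsonl)
```

Recording the timestamp in UTC with an explicit offset is what makes the log usable for forensics: alerts from several sensors can be ordered against each other and against firewall or endpoint logs without guessing local time zones.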